]>
Commit | Line | Data |
---|---|---|
31652869 | 1 | /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ |
7364bd04 | 2 | |
3 | /* | |
4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in the | |
13 | * documentation and/or other materials provided with the distribution. | |
14 | * | |
15 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR | |
16 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
17 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
18 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
19 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
20 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
21 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
22 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
25 | */ | |
26 | ||
27 | #include "includes.h" | |
28 | ||
29 | #ifdef GSSAPI | |
30 | #ifdef KRB5 | |
31 | ||
31652869 | 32 | #include <sys/types.h> |
33 | ||
24436b92 | 34 | #include <stdarg.h> |
28cb0a43 | 35 | #include <string.h> |
36 | ||
7364bd04 | 37 | #include "xmalloc.h" |
31652869 | 38 | #include "key.h" |
39 | #include "hostfile.h" | |
40 | #include "auth.h" | |
7364bd04 | 41 | #include "log.h" |
42 | #include "servconf.h" | |
43 | ||
31652869 | 44 | #include "buffer.h" |
7364bd04 | 45 | #include "ssh-gss.h" |
46 | ||
47 | extern ServerOptions options; | |
48 | ||
749560dd | 49 | #ifdef HEIMDAL |
071970fb | 50 | # include <krb5.h> |
749560dd | 51 | #else |
a8d3dd47 | 52 | # ifdef HAVE_GSSAPI_KRB5_H |
071970fb | 53 | # include <gssapi_krb5.h> |
a8d3dd47 | 54 | # elif HAVE_GSSAPI_GSSAPI_KRB5_H |
071970fb | 55 | # include <gssapi/gssapi_krb5.h> |
56 | # endif | |
749560dd | 57 | #endif |
7364bd04 | 58 | |
59 | static krb5_context krb_context = NULL; | |
60 | ||
61 | /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ | |
62 | ||
aff51935 | 63 | static int |
d2e302d7 | 64 | ssh_gssapi_krb5_init(void) |
7364bd04 | 65 | { |
66 | krb5_error_code problem; | |
67 | ||
68 | if (krb_context != NULL) | |
69 | return 1; | |
70 | ||
71 | problem = krb5_init_context(&krb_context); | |
72 | if (problem) { | |
73 | logit("Cannot initialize krb5 context"); | |
74 | return 0; | |
75 | } | |
7364bd04 | 76 | |
77 | return 1; | |
78 | } | |
79 | ||
80 | /* Check if this user is OK to login. This only works with krb5 - other | |
81 | * GSSAPI mechanisms will need their own. | |
82 | * Returns true if the user is OK to log in, otherwise returns 0 | |
83 | */ | |
84 | ||
85 | static int | |
86 | ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) | |
87 | { | |
88 | krb5_principal princ; | |
89 | int retval; | |
90 | ||
91 | if (ssh_gssapi_krb5_init() == 0) | |
92 | return 0; | |
93 | ||
94 | if ((retval = krb5_parse_name(krb_context, client->exportedname.value, | |
95 | &princ))) { | |
96 | logit("krb5_parse_name(): %.100s", | |
97 | krb5_get_err_text(krb_context, retval)); | |
98 | return 0; | |
99 | } | |
100 | if (krb5_kuserok(krb_context, princ, name)) { | |
101 | retval = 1; | |
102 | logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", | |
103 | name, (char *)client->displayname.value); | |
104 | } else | |
105 | retval = 0; | |
106 | ||
107 | krb5_free_principal(krb_context, princ); | |
108 | return retval; | |
109 | } | |
110 | ||
111 | ||
112 | /* This writes out any forwarded credentials from the structure populated | |
113 | * during userauth. Called after we have setuid to the user */ | |
114 | ||
115 | static void | |
116 | ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | |
117 | { | |
118 | krb5_ccache ccache; | |
119 | krb5_error_code problem; | |
120 | krb5_principal princ; | |
121 | OM_uint32 maj_status, min_status; | |
5d464804 | 122 | int len; |
7364bd04 | 123 | |
124 | if (client->creds == NULL) { | |
125 | debug("No credentials stored"); | |
126 | return; | |
127 | } | |
128 | ||
129 | if (ssh_gssapi_krb5_init() == 0) | |
130 | return; | |
131 | ||
749560dd | 132 | #ifdef HEIMDAL |
7364bd04 | 133 | if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { |
134 | logit("krb5_cc_gen_new(): %.100s", | |
135 | krb5_get_err_text(krb_context, problem)); | |
136 | return; | |
137 | } | |
749560dd | 138 | #else |
937eb918 | 139 | if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) { |
140 | logit("ssh_krb5_cc_gen(): %.100s", | |
141 | krb5_get_err_text(krb_context, problem)); | |
142 | return; | |
749560dd | 143 | } |
144 | #endif /* #ifdef HEIMDAL */ | |
7364bd04 | 145 | |
aff51935 | 146 | if ((problem = krb5_parse_name(krb_context, |
7364bd04 | 147 | client->exportedname.value, &princ))) { |
148 | logit("krb5_parse_name(): %.100s", | |
149 | krb5_get_err_text(krb_context, problem)); | |
150 | krb5_cc_destroy(krb_context, ccache); | |
151 | return; | |
152 | } | |
153 | ||
154 | if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { | |
155 | logit("krb5_cc_initialize(): %.100s", | |
156 | krb5_get_err_text(krb_context, problem)); | |
157 | krb5_free_principal(krb_context, princ); | |
158 | krb5_cc_destroy(krb_context, ccache); | |
159 | return; | |
160 | } | |
161 | ||
162 | krb5_free_principal(krb_context, princ); | |
163 | ||
aff51935 | 164 | if ((maj_status = gss_krb5_copy_ccache(&min_status, |
7364bd04 | 165 | client->creds, ccache))) { |
166 | logit("gss_krb5_copy_ccache() failed"); | |
167 | krb5_cc_destroy(krb_context, ccache); | |
168 | return; | |
169 | } | |
170 | ||
171 | client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); | |
172 | client->store.envvar = "KRB5CCNAME"; | |
5d464804 | 173 | len = strlen(client->store.filename) + 6; |
174 | client->store.envval = xmalloc(len); | |
175 | snprintf(client->store.envval, len, "FILE:%s", client->store.filename); | |
7364bd04 | 176 | |
749560dd | 177 | #ifdef USE_PAM |
178 | if (options.use_pam) | |
5d464804 | 179 | do_pam_putenv(client->store.envvar, client->store.envval); |
749560dd | 180 | #endif |
181 | ||
7364bd04 | 182 | krb5_cc_close(krb_context, ccache); |
183 | ||
184 | return; | |
185 | } | |
186 | ||
187 | ssh_gssapi_mech gssapi_kerberos_mech = { | |
188 | "toWM5Slw5Ew8Mqkay+al2g==", | |
189 | "Kerberos", | |
190 | {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"}, | |
191 | NULL, | |
192 | &ssh_gssapi_krb5_userok, | |
193 | NULL, | |
194 | &ssh_gssapi_krb5_storecreds | |
195 | }; | |
196 | ||
197 | #endif /* KRB5 */ | |
198 | ||
199 | #endif /* GSSAPI */ |